Is the frequent attack on DeFi really enough to be “decentralized”?

DeFi —— Decentralized finance, which is different from the traditional centralized finance in the past that requires the participation of many intermediaries such as banks and stock exchanges. DeFi uses blockchain technology to gradually develop financial products that are different from traditional finance. Crazy is sought after. According to data from DeFi Pulse, the amount of DeFi locked positions has soared by more than 200%, from $32 billion in January 2021 to $98 billion in December. As a star product in the decentralized world, DeFi opens the door to open finance for users with its decentralized, non-tamperable, trustless, open, transparent and composable features.

However, is DeFi really “decentralized” enough?

From the perspective of protocol level and interaction methods, DeFi is indeed sufficiently decentralized. However, from the perspective of some attacks, DeFi seems to be less decentralized.

On July 14, 2021, the Polkadot digital collectibles market platform Bondly Finance was attacked, which resulted in the transfer of USD 373,088,023 of BONDLY tokens from the Bondly Staking Rewards contract. According to official investigations, the attackers obtained the chief of Bondly through careful planning. Access to the password account of Executive Officer Brandon Smith. The password account contains the mnemonic recovery phrase of Smith’s hardware wallet, which allows the attacker to access the BONDLY smart contract and the leaked company wallet after being copied.

Interestingly, the hacker appeared to attack another DeFi project in a similar manner four months later.

On November 5, 2021, the DeFi protocol bZx tweeted that the private key controlling the deployment of Polygon and BSC had been leaked, resulting in a loss of funds. According to an official investigation, one of the wallets used by the hacker participated in the Bondly Finance attack. At the same time, this exploit is very similar to Bondly Finance’s: the hacker obtained the developer’s password, and then manipulated a smart contract from the agreement. Soon, bZx said in an updated accident report: “We hired a security company named Kaspersky. After investigation, the security company believed that the attack was probably carried out by the North Korean hacker organization Lazarus.” According to the anti-money laundering under SlowMist AML According to the analysis of the tracking system MistTrack, the attacker’s initial funds came from the 0.9 ETH transferred from Tornado.Cash, and then the attacker performed an operation to spread the stolen funds to multiple addresses. Then the attacker exchanged multiple tokens for ETH, and finally transferred 10960 ETH through Tornado.Cash, and the Ethereum part of the coin washing was basically completed.

Is the frequent attack on DeFi really enough to be "decentralized"?

The above two cases are not related to the contract issue, but the developer’s private key leaked by the phishing attack, which affects the user’s funds. In retrospect, private key leaks seem to have become very popular: Levyathan lost 1.5 million U.S. dollars, 8ight Finance lost 1.75 million U.S. dollars, and Vulcan Forged lost 140 million U.S. dollars… We can’t help but wonder if this means offline entities (DeFi developers) Is it actually in charge of control?

In addition to phishing attacks, front-end attacks are also high-risk strongholds that cause DeFi security problems.

On December 2, 2021, according to official Discord news, the decentralized organization Badger DAO was hacked and user assets were transferred without authorization. On December 9, Badger released a detailed report of the incident. The report stated that the incident was caused by maliciously injected code fragments on Cloudflare Workers. Cloudflare Workers is an interface for running scripts that manipulate and change web traffic as it passes through the Cloudflare proxy. The attacker obtained the API Key of the project party in the Cloudflare backend without the knowledge or authorization of the Badger engineer, in order to inject a series of malicious code into the front-end code of the website. When a user visits a front-end website, a transaction will be initiated after the malicious code is triggered for the user to confirm. After the user confirms the malicious transaction, the token will be authorized (approve) to the attacker, and then the attacker can transfer the token without the user’s knowledge. According to the analysis of MistTrack, an anti-money laundering tracking system under SlowMist AML, hackers exchanged part of the profitable cryptocurrency into renBTC, and used renBTC to cross-chain about 2,100 BTC to 14 BTC addresses. There is currently no change.

In the DeFi world, once a contract is deployed, it cannot be tampered with and cannot be withdrawn. In theory, it will not be subject to human intervention. This ensures its decentralization. However, most of the front-ends are still implemented through traditional architectures, although the web pages themselves It is also constantly evolving and developing, but there are still many potential threats. At the same time, attacks on the front-end are often easily ignored by developers. These error factors make attackers feast after meal.

On September 17, 2021, Sushiswap CTO stated on Twitter that the front end of Sushiswap IDO platform Miso was under attack. An anonymous employee of the contractor injected malicious code into the front end of Miso and replaced the auction wallet address with his own wallet address, resulting in the theft of 864.8 ETH (approximately US$3.07 million).

Current problems have begun to affect the security of funds. As users, they have to think deeply about how to safely participate in DeFi projects, which is almost like walking on thin ice.


In any case, the question of “Whether DeFi is completely decentralized” may always exist. Decentralization is not so much the biggest feature of DeFi as it is the ultimate goal of the DeFi world. Whether as a user, an audit agency or as a project party, after we have experienced so many DeFi security incidents, are we still focusing on smart contracts only? The answer is self-evident.

Participating in a DeFi project is essentially the transfer or authorization of the assets in the hand to the DeFi project party, and there is a security risk that is largely uncontrollable by the individual. What can our ordinary users do? SlowMist has prepared a “DeFi Asset Security Solution” for you, click on the original text to view it.

Posted by:CoinYuppie,Reprinted with attribution to:
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.